-1

I am new to this and just installed psad. I ran nmap several times on a server, but psad didn't log this in psad --Status.

I configured it like this: http://www.thefanclub.co.za/how-to/how-install-psad-intrusion-detection-ubuntu-1204-lts-server

My aim is to prevent port checking attacks.

LeMike

1 Answer

2

psad does not prevent you from being scanned; it will only help detect it. Moreover, you cannot really prevent it (unless you can set a closed whitelist of IPs), and the best you can do is react to psad messages using something like fail2ban filters. An example of such a filter:


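[Definition]
# <HOST> marks the source address that fail2ban bans; a failregex without it is rejected.
# Assumes psad's syslog line has the form "psad: scan detected: SRC -> DST ...".
failregex = psad: scan detected: <HOST> -> .*
ignoreregex =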

Define the DANGER_LEVEL_? thresholds in /etc/psad/psad.conf to something that suits your needs.

dawud
  • Thanks. So is it possible to detect a port check and start a script that bans the IP or other client info from accessing the server? How could it be done? – LeMike Apr 09 '13 at 09:17
  • As I outlined above, using fail2ban and adding that filter. Also review the psad.conf to define sensible thresholds. – dawud Apr 09 '13 at 09:39
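
Added example, not part of the original answer or of psad/fail2ban: a dry run of the filter's matching logic over constructed syslog lines, showing which source addresses would be picked up for a ban. It goes slightly beyond the filter by also reading the danger level from the line; the log format (`SRC -> DST ... DL: N`), the sample addresses and the function name `ban_candidates` are assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag
# also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter's failregex with the source address captured, plus the danger
# level assumed to end the line as "DL: N".
FAILREGEX = re.compile(
    r"psad: scan detected: " + HOST + r" -> \S+ .*\bDL: (?P<dl>\d)"
)

# Constructed syslog lines in the assumed psad format; all addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr  9 09:01:12 web1 psad: scan detected: 203.0.113.7 -> 192.0.2.10 tcp: [1-1024] flags: SYN tcp pkts: 1024 DL: 3
Apr  9 09:02:40 web1 psad: scan detected: 198.51.100.23 -> 192.0.2.10 tcp: [22] flags: SYN tcp pkts: 3 DL: 1
Apr  9 09:03:05 web1 sshd[811]: Failed password for root from 203.0.113.99 port 4022 ssh2
Apr  9 09:04:18 web1 psad: scan detected: 203.0.113.7 -> 192.0.2.10 udp: [53-161] udp pkts: 40 DL: 3
Apr  9 09:05:51 web1 psad: scan detected: 198.51.100.77 -> 192.0.2.10 tcp: [80-8080] flags: SYN tcp pkts: 210 DL: 2
"""


def ban_candidates(log_text, min_danger_level=2, maxretry=1):
    """Return {source_ip: hits} for sources that matched at least
    `maxretry` times at or above `min_danger_level`."""
    hits = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m and int(m.group("dl")) >= min_danger_level:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for ip, n in sorted(ban_candidates(SAMPLE_LOG).items()):
        print(f"{ip}: {n} matching line(s), would be banned")
```

Against real logs, fail2ban's own `fail2ban-regex` tool performs the equivalent check of a filter file before the jail is enabled.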